Hi!
I set up a Vault server mainly to store secrets and to enable access for a dedicated server (an Ansible server, which can only access and read secrets and then use them inside a playbook).
I manually succeeded in creating a Policy and an AppRole and linking them together from the Vault CLI.
My policy is quite simple: it just allows the read and list capabilities on a path.
My AppRole is quite simple too, as it just restricts use to a single IP address (my Ansible server) and sets the token TTL to 1h.
Then I'm manually able to retrieve the RoleID, write a SecretID and then generate a token that I can use from the Ansible server, inside a playbook.
Here are some questions:
At the moment, to generate a token for my AppRole, I must manually connect to my Vault server (and use the root token, which isn't a good thing I guess), then launch these commands:
vault read auth/approle/role/My-approle/role-id
vault write -force auth/approle/role/My-approle/secret-id
vault write auth/approle/login role_id="xxxxxx" secret_id="YYYYYYY"
First of all, is it possible to avoid using the root token to authenticate to my Vault server?
Secondly, is it possible to automatically retrieve (if allowed) an AppRole token from my Ansible server?
Thanks a lot for your help and ideas.
Gael
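As an added example (not part of Gael's post), this is how the third command above, the AppRole login, can be scripted on the Ansible side against Vault's HTTP API: the login endpoint takes only the RoleID and SecretID and needs no token header, so no root token is ever present on that host. The Vault address, the policy name ansible-read and the sample response are assumptions constructed for this example.

```python
"""AppRole login against Vault's HTTP API without any root token on the client.

Assumed, not from the original post: the Vault address, the policy name
'ansible-read', and SAMPLE_OK, a constructed login response so this runs offline.
"""
import json
import urllib.request

LOGIN_PATH = "/v1/auth/approle/login"


def build_login_request(vault_addr, role_id, secret_id):
    """Return (url, body) for an AppRole login. The endpoint is unauthenticated,
    so the client never needs a root or other pre-existing token."""
    if not role_id or not secret_id:
        raise ValueError("role_id and secret_id are both required")
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return vault_addr.rstrip("/") + LOGIN_PATH, body


def parse_login_response(payload, required_policy):
    """Extract the short-lived client token; reject error replies and tokens
    that do not carry the policy the playbook depends on."""
    if payload.get("errors"):
        raise PermissionError("Vault refused login: " + "; ".join(payload["errors"]))
    auth = payload["auth"]
    if required_policy not in auth.get("token_policies", auth.get("policies", [])):
        raise PermissionError(f"token lacks policy {required_policy!r}")
    return {
        "token": auth["client_token"],
        "ttl_seconds": auth["lease_duration"],  # 3600 for a 1h token TTL
        "renewable": auth["renewable"],
    }


def approle_login(vault_addr, role_id, secret_id, required_policy, send=None):
    """Full login flow; `send` is injectable so it can be tested without a server."""
    url, body = build_login_request(vault_addr, role_id, secret_id)
    if send is None:
        def send(url, body):
            req = urllib.request.Request(url, data=body, method="POST",
                                         headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=5) as resp:
                return json.load(resp)
    return parse_login_response(send(url, body), required_policy)


# Constructed sample of a successful AppRole login reply (values are not real).
SAMPLE_OK = {"auth": {"client_token": "hvs.CONSTRUCTED", "accessor": "acc",
                      "token_policies": ["default", "ansible-read"],
                      "lease_duration": 3600, "renewable": True}}
```

In a real run the RoleID and SecretID would come from a file and environment variable on the Ansible host rather than from the playbook itself, and only the returned `token` is used for the subsequent secret reads.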